Understanding AES-XTS – part 4

By Luther Martin —
July 16, 2009

In the cases where the sector size is not an integer multiple of the cipher's block size, AES-XTS uses ciphertext stealing. Ciphertext stealing is a technique that can be used to encrypt data that does not comprise an integer multiple of the cipher's block size. It does this by combing the last two blocks of ciphertext.

Suppose that we want to use a block cipher EK to encrypt m blocks of a message M1 through Mm to produce ciphertext blocks C1 through Cm, where M1 through Mm-1 are the same size as the cipher's block size but Mm is shorter, having only s bits instead of the full n. To encrypt this sequence of messages using ciphertext stealing, we encrypt the first m-2 blocks normally to get C1 = EK(M1), C2 = EK(M2), …, Cm-2 = EK(Mm-2).

To describe how the last two blocks are handled, let B[1,…,l] denote the lowest l bits of the message block B. The first step of ciphertext stealing is to create an intermediate value C = EK(Mm-1) and to parse this value into C = Cm[1,…s]||C'. The value of Cm-1 is then calculated as Cm-1 = EK(Mm[1,…,s]||C'). The following diagram shows how this works.

Ciphertext stealing is also used in RFC 2040, The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms, where it's used in the RC5-CTS mode. It's the standard way of dealing with a mismatch between the size of a block and the size of the plaintext.

Ciphertext stealing has been known for many years. The earliest description that I know of was in Cryptography: A New Dimension in Computer Data Security, by Carl Meyer and Stephen Matyas, which dates back to 1982. I'd be interested to hear about of an earlier one, if there's one out there.